Description

A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Users with the "login as other users" capability (such as administrators/managers) can access other users' Dashboards, but the JavaScript those other users may have added to their Dashboard was not being escaped when being viewed by the user logging in on their behalf.

Remediation

References

CVE-2019-3847

Related Vulnerabilities

Magento Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-8157)

WordPress Plugin Ad Inserter-Ad Manager & AdSense Ads Remote Code Execution (2.4.21)

WordPress Plugin InstaWP Connect-1-click WP Staging & Migration Security Bypass (0.1.0.8)

Jboss EAP Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2009-3554)

WordPress Plugin Easy Forms for MailChimp Unspecified Vulnerability (6.3.2)

Severity

High

Classification

CVE-2019-3847 CWE-20 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities